name: Test macOS Build Action on: workflow_dispatch: # Manual trigger only for testing push: branches: [ozgur/build] jobs: test-macos-build: runs-on: macos steps: - name: Checkout repository uses: actions/checkout@v3 with: lfs: true fetch-depth: 0 - name: Check entitlements file run: | # Check if entitlements files exist if [ -f "LuckyWorld.entitlements" ]; then echo "Using existing LuckyWorld.entitlements file" ENTITLEMENTS_FILE="LuckyWorld.entitlements" elif [ -f "LuckyRobots.entitlements" ]; then echo "Using existing LuckyRobots.entitlements file" ENTITLEMENTS_FILE="LuckyRobots.entitlements" else echo "Creating default entitlements file as LuckyWorld.entitlements" # Create entitlements file line by line instead of heredoc echo '' > LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-jit' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-unsigned-executable-memory' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.disable-library-validation' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.cs.allow-dyld-environment-variables' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.audio-input' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo ' com.apple.security.device.camera' >> LuckyWorld.entitlements echo ' ' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements echo '' >> LuckyWorld.entitlements ENTITLEMENTS_FILE="LuckyWorld.entitlements" fi echo "Using entitlements file: $ENTITLEMENTS_FILE" echo "ENTITLEMENTS_FILE=$ENTITLEMENTS_FILE" >> "$GITHUB_ENV" shell: bash # Step 1: Setup environment - name: Setup environment run: | # Use the correct path where Unreal Engine is installed UE_PATH="/Users/Shared/Epic Games/UE_5.5" if [ ! -d "$UE_PATH" ]; then echo "Warning: Unreal Engine is not installed in the expected location" echo "This is expected in CI environment - continuing anyway" fi # Create directories for builds mkdir -p Builds/Mac mkdir -p PackagedReleases echo "Using Unreal Engine 5.5" # Get the working directory path for absolute paths WORKSPACE_DIR="$(pwd)" echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV" shell: bash # Step 2: Build for macOS - name: Build for macOS run: | if [ -f "./scripts/mac_build.sh" ]; then chmod +x ./scripts/mac_build.sh ./scripts/mac_build.sh else echo "Build script not found, skipping this step" fi shell: bash # Step 3: Create keychain and import certificate - name: Create keychain and import certificate env: CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} run: | # Debug: Print working directory echo "Current working directory: $(pwd)" echo "Contents of Builds directory:" find Builds -type d | sort # Create keychain KEYCHAIN_PATH="${WORKSPACE_DIR}/build.keychain" KEYCHAIN_PASSWORD="temporary" # Create and configure keychain security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Set keychain search list and make it default security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) security default-keychain -s "$KEYCHAIN_PATH" # Decode and import certificate echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12 # Download Apple certificates curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer # Import Apple root certificates properly # Use -T to restrict access to codesign instead of -A (which is insecure) echo "Importing Apple WWDRCA certificate..." security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl echo "Importing Developer ID certificate..." security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl # Import developer certificate with proper parameters echo "Importing developer certificate..." security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -f pkcs12 # Set partition list - important for automated signing without UI prompts security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" # Verify certificates were imported correctly echo "Listing imported certificates..." security find-certificate -a "$KEYCHAIN_PATH" # Export keychain path and password for later use echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" echo "Certificate imported to keychain" shell: bash # Step 4: Find and prep app for signing - name: Find and prep app for signing run: | # Find app bundle - look everywhere APP_PATHS=$(find . -type d -name "*.app" 2>/dev/null) if [ -z "$APP_PATHS" ]; then # No *.app extension found, look in Builds/Mac directory for any directory APP_PATHS=$(find ./Builds/Mac -type d -mindepth 1 -maxdepth 1 2>/dev/null) fi if [ -z "$APP_PATHS" ]; then echo "ERROR: Could not find any app bundles!" exit 1 fi echo "Found potential app bundles:" echo "$APP_PATHS" # Use the first app path found APP_PATH=$(echo "$APP_PATHS" | head -1) # Get app name for later use APP_NAME=$(basename "$APP_PATH") echo "Using app bundle: $APP_PATH" echo "App name: $APP_NAME" echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV" echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV" shell: bash # Step 5: Sign application with codesign - improved based on forums - name: Sign application env: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" # First sign PhysX and problematic frameworks specifically (based on forum reports) echo "🔍 Signing PhysX and special libraries first..." find "$APP_PATH" -type f -name "*PhysX*" -o -name "*APEX*" | while read SPECIAL_LIB; do if [ -f "$SPECIAL_LIB" ]; then echo "Signing special library: $SPECIAL_LIB" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SPECIAL_LIB" fi done # Sign all dylib files echo "🔍 Signing all .dylib files..." find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do echo "Signing dylib: $DYLIB" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$DYLIB" done # Sign all .so files echo "🔍 Signing all .so files..." find "$APP_PATH" -type f -name "*.so" | while read SO; do echo "Signing .so: $SO" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SO" done # Sign all executables in frameworks echo "🔍 Signing framework executables..." find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do echo "Signing framework binary: $FMWK_BIN" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FMWK_BIN" done # Sign all other executables echo "🔍 Signing other executables..." find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do echo "Signing executable: $EXEC" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$EXEC" done # Sign all frameworks echo "🔍 Signing frameworks..." find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do echo "Signing framework: $FRAMEWORK" /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FRAMEWORK" done # Finally sign the app bundle itself with entitlements echo "🔍 Signing the main app bundle with entitlements..." /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --options runtime --deep --timestamp "$APP_PATH" # Verify signature echo "Verifying signature..." /usr/bin/codesign --verify --verbose "$APP_PATH" # Use spctl to check if app is acceptable by Gatekeeper echo "Checking if app will pass Gatekeeper validation..." spctl -vvv --assess --type exec "$APP_PATH" if [ $? -eq 0 ]; then echo "✅ Code signing and Gatekeeper validation was successful" else echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization" fi shell: bash # Step 6: Notarize application - name: Notarize application env: API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }} API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} run: | echo "Preparing for notarization..." # Create API key file echo "$API_KEY_PATH" | base64 --decode > api_key.p8 API_KEY_FILE="$(pwd)/api_key.p8" # Create a zip archive for notarization NOTARIZE_APP_PATH="LuckyWorld-notarize.zip" echo "Creating archive for notarization: $NOTARIZE_APP_PATH" # Use ditto to preserve bundle structure ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" # Check if zip file was created successfully if [ ! -f "$NOTARIZE_APP_PATH" ]; then echo "❌ Failed to create notarization archive" exit 1 fi echo "Submitting for notarization..." echo "API Key ID: $API_KEY_ID" echo "API Key File: $API_KEY_FILE" # Submit for notarization using API key NOTARIZE_OUTPUT=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait) echo "Notarization response:" echo "$NOTARIZE_OUTPUT" # Check if notarization was successful if [[ "$NOTARIZE_OUTPUT" =~ "status: Accepted" ]]; then echo "✅ Notarization successful" else echo "⚠️ Notarization may have failed. Checking status..." # Extract submission ID if available SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | awk '{print $2}') if [ -n "$SUBMISSION_ID" ]; then echo "Checking submission $SUBMISSION_ID..." xcrun notarytool info "$SUBMISSION_ID" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" # Continue even if notarization failed - we'll staple if possible echo "⚠️ Continuing despite potential notarization issues..." else echo "⚠️ No submission ID found. Continuing anyway..." fi fi # Staple the notarization ticket to the app echo "Stapling notarization ticket to app..." xcrun stapler staple "$APP_PATH" # Verify stapling echo "Verifying stapling..." stapler validate "$APP_PATH" if [ $? -eq 0 ]; then echo "✅ Stapling successful" else echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps." echo "⚠️ Continuing with packaging..." fi # Clean up rm -f "$NOTARIZE_APP_PATH" "$API_KEY_FILE" shell: bash # Step 7: Package macOS App - name: Package macOS App run: | echo "Packaging signed app bundle: $APP_PATH" # Create zip package (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")") echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip" echo "Packaged releases:" ls -la PackagedReleases/ shell: bash # Step 8: Upload macOS Build Artifact - name: Upload macOS Build Artifact uses: actions/upload-artifact@v3 if: success() with: name: LuckyWorld-macOS path: PackagedReleases/LuckyWorld-macOS.zip retention-days: 365 # Step 9: Cleanup - name: Cleanup if: always() run: | # Clean up keychain and certificates if [ -n "$KEYCHAIN_PATH" ]; then security delete-keychain "$KEYCHAIN_PATH" || true fi # Clean up certificate files rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true echo "Cleanup complete" shell: bash